Metasploit Pro First to Offer Team Collaboration to Increase Efficiency of Security Testing

BOSTON, Mass. – October 19, 2010 – Rapid7®, the leading provider of unified vulnerability management and penetration testing solutions, today announced the availability of Metasploit Pro™, the new software for security professionals in enterprises, government agencies and consulting firms who need to make network security testing more efficient to reduce costs. Unlike alternative products, Metasploit Pro improves the efficiency of penetration testers by providing unrestricted remote network access and enabling teams to collaborate efficiently. Metasploit Pro exceeds the functionality of Metasploit Express™ with support for security testing of custom Web applications, managing client-side campaigns against end-users and additional evasion features.

“Metasploit Pro completes our suite of penetration testing products and addresses the needs of the penetration testing expert who requires advanced features,” said Mike Tuchen, Rapid7 president and CEO. “We built Metasploit Pro with the same intuitive interface and efficient workflows of Metasploit Express and added advanced features that enable penetration testers to compromise networks deeper and faster. As a result, they can complete their security testing in less time, greatly reducing the overall impact on security budgets.”

The Metasploit® Framework is the most widely used and mature solution in the market with more than one million unique downloads in the past year and the world’s largest, public database for quality assured exploits. As organizations face increasing threats to complex, business-critical systems, the ability to simulate realistic attacks on their infrastructure in a fast and cost-effective manner is critical. Only Metasploit products are based on the Metasploit Framework, the gold standard for penetration testing, and are therefore best suited to emulate realistic attacks.

And let's not forget this...

Metasploit Pro is available immediately for $15,000 per named user, per year and includes support with dedicated SLAs provided by Rapid7 staff.

This is exciting news. The price is rather hefty, but I believe it is still cheaper than Core IMPACT. I can't wait until someone does a side-by-side comparison of the two. I will have to play with the trial version in the meantime.

Yes, it's about half the price of Core Impact Pro. Metasploit Pro is designed for professional penetration testers in consulting firms and red teams.

There are also other options available, for example Metasploit Express for $3,000, which is designed for vulnerability management teams who want to correctly assess their risks by checking if a vulnerability is actually exploitable.

Of course, there is always the free, open-source Metasploit Framework. Version 3.5.0 just came out two days ago, so make sure you update your installation if you have it already! The Framework is funded through the commercial editions and contains the same exploits and modules but doesn't include the same web GUI and lacks some of the advanced features such as workflow, web app scanning & exploitation, social engineering campaigns & VPN pivoting.

BTW - you were also asking about a comparison of Core vs Metasploit Pro. Pro is very new, so no public comparison is available yet but check out the HackMiami Pwn-Off between Core Impact Pro and Metasploit Express, which has a smaller feature set than Metasploit Pro.

ckirsch wrote: BTW - you were also asking about a comparison of Core vs Metasploit Pro. Pro is very new, so no public comparison is available yet but check out the HackMiami Pwn-Off between Core Impact Pro and Metasploit Express, which has a smaller feature set than Metasploit Pro.

No, I'm not with HackMiami - yes, they're cool guys. I'm actually with Rapid7, the people behind Metasploit. On this forum to keep the community informed of recent developments and to answer questions about Metasploit.

ckirsch wrote: BTW - you were also asking about a comparison of Core vs Metasploit Pro. Pro is very new, so no public comparison is available yet but check out the HackMiami Pwn-Off between Core Impact Pro and Metasploit Express, which has a smaller feature set than Metasploit Pro.

Ahem. Hate to be the bearer of realistic news here, but I think I'll wait until metasploit professional has matured a bit. The difference between Core and Metasploit would be Core's capability and experience at developing weaponized 0day from reversed Patch Tuesdays and advisories.

HDMoore is a helluva guy (hey HD, I know you pop in from time to time); however, Core has some seriously scary guys. HD is literally a one man team (very effective one, not to take anything away whatsoever). Metasploit was and is popular because of the granularity involved with being able to plop in anything your heart desires. From a "geek" slash "hacker" perspective it's cool; however, from the Whitehat/Crystalbox side of the show... No one is getting their hands dirty. After all, WTH would I be plopping down $30k for Core or to be more precise $3k for a contractor license? Two ways to skin a cat here.

Anyhow, unless Rapid7's MSploit Pro is ready to deploy some highly effective unseen exploits immediately, I anticipate MSploit Pro to be a real slow seller. I mean this in a respectful, articulate and "matter of factly" tone so don't confuse it with negativity. Right now, if I can't "get it poppin" with Canvas + Metasploit community + some social engineering, then I move on to Core when financially practical. I can't think of a reason to replace or "assist" my existing tools so it would be a hard pitch to my CTO.

me: "I need MSploit Pro"
him: "why I just got you Canvas with exploit packs"
me: "Because I uh.... Well metasploit community is limited..."
him: "to what... What could it possibly do that you couldn't socially engineer your way in"
me: "reports!"

Make sense? Most of the time I have to fight tooth and nail for tools that I need and I have to make my budget money go the distance. I LOVE playing with tools, but until I see something "to the extreme", I would be hard pressed arguing the case to purchase it. I DL'd a copy, just haven't had time to play with it yet. I would love to put it to my OWN testing then make a vid to post. As I've shown before, I managed to get more "exploited" with Canvas than I did metasploit: http://www.infiltrated.net/Metasploit-E ... us-Canvas/

Just chiming in real quick; The Metasploit team within Rapid7 consists of six full-time developers, the core community team is another 10, and we leverage the wider community contributions in our products as well. This collaborative approach for the shared core framework is why the commercial versions are more than competitive with other products on the market and why we continue to invest in the community.

The Metasploit commercial products are selling well not because they contain exclusive exploits, but because they make penetration testing relatively simple and handle the annoying parts of security work (automation, auditing, reporting, team collaboration). Most of what you can do in the commercial products can be done with the free framework; this is intentional, and our differentiators are really around how you use the capabilities within the framework, not the capabilities themselves.

The great thing about using the same Metasploit core as the free product is that you can leverage modules written by third-party developers. The exploithub.com project is one approach to getting access to additional exploits, but any exploits developed internally for the free version of Metasploit Framework can be used seamlessly with the commercial products.

HD, thanks for coming back again and clarifying things. First off, thanks for the many years of reading material and keeping metasploit cool. Second, congrats on doing things your way with metasploit even with the Rapid7 purchase/joint venture. I'm sure politricks can be a pain sometimes but hopefully Rapid is smart enough to let you continue running the metasploit show. Thirdly... Yes! I will get around to putting a video on Metasploit Express to counter Metasploit versus Canvas (just really busy). I know I said I would and I haven't forgotten...

Anyway, it's good to see the numbers (how many developers, etc.), albeit known that many companies don't like sharing this information (perhaps we could go kick chameleon @ eeye). It gives a lot of credibility for those who are unaware of 1) metasploit 2) Rapid7 and 3) the merger/buyout between the two.

Don't get my initial post wrong, I love metasploit, I use it intensely professionally and academically (learning) for a variety of things not limited to penetration testing. I'm aware of ExploitHub's POV and direction and would love to see that pan out. It would likely be a "sick" mashup for pentesters if a ZDI/iDefense approach was taken. "Mix and match your metasploit modules." THAT would be worth it by far.

I spoke with Ivan Arce via email about this one time (pay for play security research) and they (Core) decided it didn't fit their model. THAT is something to think about for a moment. Look @ what Dave @ Immunity has going on with like D2 Exploit pack, etc., or ZDI. Any indications/hints of you guys (Rapid+Metasploit) doing the same - Pay for Play/Security Research/Exploit Wednesdays_to_Metasploit_Modules?